The EU’s Cyber Resilience Act (CRA) has sparked concerns among industry experts regarding its vulnerability disclosure requirements. These concerns stem from the potential misuse of disclosed vulnerabilities by governments for intelligence or surveillance purposes.


Representatives from Google [2], the Electronic Frontier Foundation [2], and Trend Micro [2], among others, have expressed their worries about Article 11 of the CRA. They believe that the outlined vulnerability disclosure requirements could create new threats to the security of digital products and users. In an open letter signed by 50 cybersecurity professionals [1], they urge the EU to reconsider these provisions [1].

The experts propose a risk-based approach to vulnerability disclosure [2], taking into account factors such as severity [2], mitigations [1] [2], user impact [2], and likelihood of exploitation [2]. They also recommend explicitly prohibiting government agencies from using or sharing vulnerabilities disclosed through the CRA for intelligence, surveillance [1] [2], or offensive purposes [1]. Additionally, the experts stress the importance of reporting only mitigatable vulnerabilities to agencies within 72 hours of effective mitigations becoming publicly available [1]. They argue that the CRA should not require reporting of vulnerabilities discovered through good faith security research [1], as these do not pose a security threat [1]. The experts reference ISO/IEC 29147 as the baseline for all EU vulnerability reporting in Article 11-1 of the CRA [1].


The vulnerability disclosure requirements in the EU Cyber Resilience Act have raised significant concerns among cybersecurity experts. The potential misuse of disclosed vulnerabilities for intelligence or surveillance purposes is a major worry. To address these concerns, experts recommend a risk-based approach to vulnerability disclosure and explicit prohibitions on government agencies using or sharing vulnerabilities for unauthorized purposes. The importance of timely reporting and distinguishing between mitigatable vulnerabilities and those discovered through security research is also emphasized. The implications of the CRA’s provisions on the security of digital products and users should be carefully considered and addressed to ensure a resilient and secure cyber environment.